The smart grid represents an upgraded electricity network where two-way comprehensive management of electricity and its information is established between the supplier and the consumer. The smart grid can be considered as one of the largest IoT network that involves large number of smart objects that are deployed in the smart grid like: smart meters, smart appliances, sensors, electric vehicles, etc.

Although the use of IoT is very advantageous in the context of smart grids, but their dependency on resource-constrained objects and public Internet, makes it more vulnerable to cyber threats with devastating results.  As a result, vulnerabilities of communication networks may be exploited to launch cyber-attacks against its physical power system, such as power generation plants or substations.  It has been shown that network intrusions in smart grids may result in many negative consequences ranging from customer information leakage and cascade of failures to massive blackout and physical destruction of infrastructures.

Thus, It is very important to defend the smart grid against cyber-threats. The main step to ensure this defense is to perform a cyber-security risk assessment that can determine the impact and likelihood of cyber-attacks. Based on this assessment, security responses can be decided to handle the identified risks. Due to its heavy reliance on the cyber infrastructure for sensing and control, the smart grid will be exposed to new risks from IoT devices as well as inherit existing risks from physical vulnerabilities in the current power grid.

Many challenges are facing the design of cyber-security risk management in IoT-based smart grids. First, the integration of IoT devices with an already established power grid implies the need to design a cyber-risk management that considers large-scale and evolving cyber-threat vector. Second, the IoT devices are resource-constrained, which means that they run lightweight security solutions, which make them more vulnerable, and might act as an entry point to compromise the rest of the IoT-based smart grid network. Hence, the risk management approaches that were designed for power substations are not enough to tackle the vulnerabilities that are originated from IoT devices. Third, multiple interdependencies, uncertainties and dynamic interactions among the components of the network give rise to a very complex risk picture. Fourth, the IoT-based smart grid network interconnects millions of heterogeneous IoT devices, and the main issue is how handle the respond to the risk and restore the normal operation of the network in case of large-scale cyber-attack that compromises a large number of devices. Fifth, one additional requirement is that the risk response time to incidents must be effective to time-sensitive distribution and transmission subsystem that do not tolerate long failure time.